Remove module for thumb.
# SELinux policy module for getty, the program that opens a terminal line
# and hands it over to login. First argument is the module name, second
# is the module version.
1 policy_module(getty, 1.8.1)
2
3 ########################################
4 #
5 # Declarations
6 #
7
# getty_t is the process domain; getty_exec_t labels the executable used as
# its entrypoint. The two init_* calls register that pair with the init
# policy module (the interface bodies are not shown in this file).
# NOTE(review): both init_domain and init_system_domain are applied to the
# same pair - confirm that both entry paths are really needed.
8 type getty_t;
9 type getty_exec_t;
10 init_domain(getty_t, getty_exec_t)
11 init_system_domain(getty_t, getty_exec_t)
# Presumably lets other domains inherit and use file descriptors opened by
# getty_t, such as the terminal passed on to login - verify against the
# domain module.
12 domain_interactive_fd(getty_t)
13
# Private file types. Each one is declared and then classified through a
# files_* or logging_* interface so the generic rules for that class of
# file apply to it. etc_getty_t is kept as an alias of getty_etc_t so
# references to the older name still resolve.
14 type getty_etc_t;
15 typealias getty_etc_t alias etc_getty_t;
16 files_config_file(getty_etc_t)
17
18 type getty_lock_t;
19 files_lock_file(getty_lock_t)
20
21 type getty_log_t;
22 logging_log_file(getty_log_t)
23
24 type getty_tmp_t;
25 files_tmp_file(getty_tmp_t)
26
27 type getty_var_run_t;
28 files_pid_file(getty_var_run_t)
29
30 ########################################
31 #
32 # Getty local policy
33 #
34
# Capabilities getty_t may exercise. dac_override bypasses discretionary
# file permission checks and is the broadest entry in this set; chown,
# fowner and fsetid relate to file ownership and mode changes, which
# matches the tty handling further down in this file.
# NOTE(review): confirm dac_override and sys_resource are still required.
# Every capability listed here is available to anything that gains control
# of a getty_t process.
35 # Use capabilities.
36 allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
# NOTE(review): sys_tty_config is already allowed by the rule above, so this
# dontaudit has no visible effect - confirm which of the two is intended.
37 dontaudit getty_t self:capability sys_tty_config;
# Process self-management (process group and session queries plus the
# signal permission set) and read/write on its own pipes.
38 allow getty_t self:process { getpgid setpgid getsession signal_perms };
39 allow getty_t self:fifo_file rw_fifo_file_perms;
40
# Read access to files and symlinks labelled getty_etc_t.
41 read_files_pattern(getty_t, getty_etc_t, getty_etc_t)
42 read_lnk_files_pattern(getty_t, getty_etc_t, getty_etc_t)
# NOTE(review): only read access to getty_etc_t is granted in this file, yet
# this transition covers files and directories that getty_t creates under
# etc. Presumably the interface also grants write access to the generic etc
# directory - verify that this is needed.
43 files_etc_filetrans(getty_t, getty_etc_t,{ file dir })
44
# Lock, log, tmp and pid files follow one pattern: the manage permission set
# on the private type, plus a type transition so that objects getty_t
# creates in the shared parent directory receive the private label rather
# than the generic one.
45 allow getty_t getty_lock_t:file manage_file_perms;
46 files_lock_filetrans(getty_t, getty_lock_t, file)
47
48 allow getty_t getty_log_t:file manage_file_perms;
49 logging_log_filetrans(getty_t, getty_log_t, file)
50
51 allow getty_t getty_tmp_t:file manage_file_perms;
52 allow getty_t getty_tmp_t:dir manage_dir_perms;
53 files_tmp_filetrans(getty_t, getty_tmp_t, { file dir })
54
55 manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
56 files_pid_filetrans(getty_t, getty_var_run_t, file)
57
# Access granted through interfaces of other policy modules. The interface
# bodies are not part of this file, so the notes below describe intent as
# far as the names and existing comments show it.
58 kernel_read_system_state(getty_t)
59
# Presumably these run programs from the bin directories and shells without
# a domain transition, so whatever is executed keeps every permission that
# getty_t holds - verify against the corecommands module.
# NOTE(review): the only stated reason is fax reception; confirm it still
# applies, since shell execution inside getty_t widens what a compromised
# getty can do.
60 # these two needed for receiving faxes
61 corecmd_exec_bin(getty_t)
62 corecmd_exec_shell(getty_t)
63
64 dev_read_sysfs(getty_t)
65
# NOTE(review): files_rw_generic_pids looks like read/write on pid files
# with the generic label, on top of the private getty_var_run_t rules in
# this file - confirm both are needed.
66 files_rw_generic_pids(getty_t)
67 files_read_etc_runtime_files(getty_t)
68 files_read_etc_files(getty_t)
69 files_search_spool(getty_t)
70
71 fs_search_auto_mountpoints(getty_t)
72 # for error condition handling
73 fs_getattr_xattr_fs(getty_t)
74
# presumably needed so the session started on the terminal can be given its
# MCS categories - TODO confirm.
75 mcs_process_set_categories(getty_t)
76
# MLS exemptions: by their names these let getty_t read and write files at
# any sensitivity level, which places getty_t among the subjects trusted
# not to move data between levels.
# NOTE(review): confirm the write exemption is required and not only the
# read one.
77 mls_file_read_all_levels(getty_t)
78 mls_file_write_all_levels(getty_t)
79
80 # Chown, chmod, read and write ttys.
81 term_use_all_ttys(getty_t)
82 term_use_unallocated_ttys(getty_t)
83 term_setattr_all_ttys(getty_t)
84 term_setattr_unallocated_ttys(getty_t)
85 term_setattr_console(getty_t)
# NOTE(review): console use is granted unconditionally here and again under
# the console_login tunable near the end of this file. With this line
# present, switching the tunable off does not appear to remove console
# access - confirm intent.
86 term_use_console(getty_t)
87
# Login accounting: read/write on the login records and on utmp.
88 auth_rw_login_records(getty_t)
89 auth_use_nsswitch(getty_t)
90
91 init_rw_utmp(getty_t)
# NOTE(review): the same access is both granted and dontaudited by the next
# two calls; the dontaudit looks redundant while the grant is in place.
92 init_use_script_ptys(getty_t)
93 init_dontaudit_use_script_ptys(getty_t)
94
# Domain transition from getty_t into the local login domain, so login does
# not run with the getty_t permission set.
95 locallogin_domtrans(getty_t)
96
97 logging_send_syslog_msg(getty_t)
98
99 miscfiles_read_localization(getty_t)
100
# Distribution-specific rules. Each block is included only when the
# matching distro_* definition is set at policy build time.
# Gentoo: name resolution for the hostname shown from /etc/issue.
101 ifdef(`distro_gentoo',`
102 # Gentoo default /etc/issue makes agetty
103 # do a DNS lookup for the hostname
104 sysnet_dns_name_resolve(getty_t)
105 ')
106
# Red Hat: adds sys_admin, a very broad capability, with 209426 given as the
# only reference.
# NOTE(review): confirm the requirement still holds and record which getty
# operation needs it, so the grant can be narrowed or dropped later.
107 ifdef(`distro_redhat',`
108 # getty requires sys_admin #209426
109 allow getty_t self:capability sys_admin;
110 ')
111
# Ubuntu: when the unconfined module is present, getty_t is declared an
# unconfined domain.
# NOTE(review): presumably this lifts most type enforcement limits from
# getty_t, which would make the remaining rules in this file moot on that
# distribution - confirm it is still wanted.
112 ifdef(`distro_ubuntu',`
113 optional_policy(`
114 unconfined_domain(getty_t)
115 ')
116 ')
117
# console_login tunable: when on, getty_t may use /dev/console for logins;
# when off, the other branch only silences the resulting denials.
# NOTE(review): term_use_console(getty_t) is also called unconditionally
# earlier in this file, so the off branch does not appear to withdraw
# console access - confirm whether the unconditional call should be removed.
118 tunable_policy(`console_login',`
119 # Support logging in from /dev/console
120 term_use_console(getty_t)
121 ',`
122 term_dontaudit_use_console(getty_t)
123 ')
124
# Optional blocks: each applies only when the module that provides the
# called interface is part of the built policy.
# NOTE(review): presumably lets getty_t hand a message to the mail transfer
# agent; no reason is given in this file - confirm it is still used.
125 optional_policy(`
126 mta_send_mail(getty_t)
127 ')
128
# Domain transition from getty_t into the ppp domain.
# NOTE(review): presumably for dial-in lines where getty starts pppd -
# verify the use case still exists.
129 optional_policy(`
130 ppp_domtrans(getty_t)
131 ')
132
# Silences denials for getty_t touching rhgb ptys; this is a dontaudit and
# grants no access.
133 optional_policy(`
134 rhgb_dontaudit_use_ptys(getty_t)
135 ')
136
# Read access to the udev database.
137 optional_policy(`
138 udev_read_db(getty_t)
139 ')